PT-2024-9619 · Gstreamer+11
Antonio Morales +1 · Published 2024-10-02 · Updated 2025-06-30 · CVE-2024-47613
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
GStreamer versions prior to 1.24.10
Description
A null pointer dereference vulnerability has been identified in the gst_gdk_pixbuf_dec_flush function within gstgdkpixbufdec.c. This function invokes memcpy, using out_pix as the destination address. out_pix is expected to point to the frame 0 from the frame structure, which is read from the input file. However, in certain situations, it can point to a NULL frame, causing the subsequent call to memcpy to attempt writing to the null address (0x00), leading to a null pointer dereference. This can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV).
Recommendations
Update to version 1.24.10 to fix the vulnerability. As a temporary workaround, consider disabling the gst_gdk_pixbuf_dec_flush function until a patch is available. Restrict access to the gstgdkpixbufdec.c module to minimize the risk of exploitation. Avoid using the out_pix variable in the affected function until the issue is resolved.
Exploit
Fix
DoS
Memory Corruption
NULL Pointer Dereference
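The pattern from the description above (memcpy into an out_pix that can be NULL) next to a checked variant, as an added illustration in C. It is a simplified model, not GStreamer's code or the upstream fix; frame_t, frame_map, flush_unchecked and flush_checked are hypothetical names, and the mapper failing with a NULL plane pointer is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for a mapped output frame; not GStreamer's real type. */
typedef struct { uint8_t *plane0; size_t stride; } frame_t;

enum { FLOW_OK = 0, FLOW_ERROR = -1 };

/* Hypothetical mapper: reports failure and leaves plane0 NULL when the
 * output buffer has no usable backing memory. */
static int frame_map(frame_t *f, uint8_t *backing, size_t stride) {
    f->plane0 = backing;
    f->stride = stride;
    return backing != NULL;
}

/* Pattern from the description: the destination pointer is used unchecked. */
int flush_unchecked(uint8_t *backing, size_t stride, const uint8_t *in_pix,
                    size_t in_stride, size_t row_bytes, size_t height) {
    frame_t frame;
    frame_map(&frame, backing, stride);      /* result ignored */
    uint8_t *out_pix = frame.plane0;         /* may be NULL */
    for (size_t y = 0; y < height; y++) {
        memcpy(out_pix, in_pix, row_bytes);  /* SEGV when out_pix is NULL */
        in_pix += in_stride;
        out_pix += frame.stride;
    }
    return FLOW_OK;
}

/* Checked variant: refuse to copy unless the frame mapped and rows fit. */
int flush_checked(uint8_t *backing, size_t stride, const uint8_t *in_pix,
                  size_t in_stride, size_t row_bytes, size_t height) {
    frame_t frame;
    if (!frame_map(&frame, backing, stride) || frame.plane0 == NULL)
        return FLOW_ERROR;                   /* surface an error, do not write */
    if (in_pix == NULL || row_bytes > frame.stride || row_bytes > in_stride)
        return FLOW_ERROR;
    uint8_t *out_pix = frame.plane0;
    for (size_t y = 0; y < height; y++) {
        memcpy(out_pix, in_pix, row_bytes);
        in_pix += in_stride;
        out_pix += frame.stride;
    }
    return FLOW_OK;
}
```

The checked variant turns the NULL-frame case into an error return that the caller can handle, instead of a crash inside memcpy.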
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Debian
Gstreamer
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu